Between 2015 and March 2018, there was a serious privacy hole in the Google Plus social network that meant users’ names, email addresses, dates of birth, genders, profile photographs, places lived, relationship statuses, and occupations were exposed to third-party app developers through an API bug.

In March 2018, Google chose not to go public with the fact that it had been failing to protect its users’ privacy for years, fearful that it would find itself in the media’s headlights when arch-rival Facebook was quite rightly being flayed over Cambridge Analytica.

In fact it took until October 2018 for Google to finally admit that there had been a problem, and that approximately half a million Google Plus profiles had been potentially affected in just the two weeks prior to patching the bug, with 438 separate third-party applications having access to the unauthorised Google Plus data.

In light of the revelations, and presumably to take the steam out of the attacks it knew it was about to receive from the media and regulators, Google announced that it would be closing down Google Plus by the end of August 2019.

Google’s failure to protect user data, and its subsequent cover-up, would be bad enough… but now there’s more bad news.

Google has now admitted that Google Plus has suffered another security failure, allowing the personal information of 52 million users to be accessed by third-party apps and developers without permission.

So, even if you had your profile information - such as your name, email address, occupation, etc. - set as “not-public”, the information could be accessed by unauthorised parties.

According to Google, the flaw was introduced through a software update in November and was spotted less than a week later. The search giant says that it has seen no evidence that any app developers were aware of the flaw or misused it.

Google says it will now shut down Google Plus in April 2019, five months sooner than the previous announcement suggested:

With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019.

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.
